locked
windows 10 1607 ,cannot apply windows update policy RRS feed

  • Question

  • Hello everyone,

    i have windows server 2008R2 and windows 10 1607, created GPO and configured automatic updates. open windows 10 and run gpupdate /force, open windows updates the policy not applied. i also configured WSUS, the client not registered in WSUS.

    this is a test lab

    any ideas for this?

    • Moved by Amy Wang_ Friday, March 17, 2017 1:33 AM from RDS forum
    Thursday, March 16, 2017 2:42 PM

Answers

  • Hi islam mohaned Hussein,

    1. Please check if the win10 1607 clients are included in the GPO OU;

    2. After run gpupdate /force on the clients, also run gpresult /h C:\report.html to check the apply result;

    3. To enable clients register in WSUS server, we need to ensure the GPO is configured and applied correctly, and the port is allowed in firewall, if all the things are correct while they still not show up in WSUS console, we may reset SUSClientID on clients:

    Reset SusClientId:
    1). In cmd, net stop wuauserv

    2). Delete the value in registry key " SusClientId " and "SusClientIDValidation" locates in:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

    3). In cmd, net start wuauserv
         wuauclt.exe /resetauthorization /detectnow

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 17, 2017 6:26 AM
  • Am 16.03.2017 schrieb awbruso6:

    i have windows server 2008R2 and windows 10 1607, created GPO and configured automatic updates. open windows 10 and run gpupdate /force, open windows updates the policy not applied. i also configured WSUS, the client not registered in WSUS.

    Bring your WSUS up2date:

    WSUS 3.0 (SP2):    Build 3.2.7600.226
    WSUS 3.0 (SP2) + KB2720211:    Build 3.2.7600.251
    WSUS 3.0 (SP2) + KB2734608:    Build 3.2.7600.256
    WSUS 3.0 (SP2) + KB2828185:    Build 3.2.7600.262
    WSUS 3.0 (SP2) + KB2938066:    Build 3.2.7600.274

    For W10 1607 you need a third WSUS Entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    UpdateServiceUrlAlternate

    http://YourWSUS

    You can find this settings in the latest WU-ADM Templates.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    • Marked as answer by islam mhmd Thursday, March 23, 2017 11:27 AM
    Friday, March 17, 2017 4:56 PM
  • Am 18.03.2017 schrieb islam mohamed hussein:

    The windows 10 client already included in the GPO OU. the gpresult shows that the windows update policy applied. but, when open the policy in local group policy console of client  shows the policy not configured

    GPEDIT.MSC shows only Settings, if they modified IN gpedit.msc.
    Settings made with GPMC.MSC you don't see with GPEDIT.MSC.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Saturday, March 18, 2017 10:44 PM
  • The windows 10 client already included in the GPO OU. the gpresult shows that the windows update policy applied. but, when open the policy in local group policy console of client  shows the policy not configured

    Hi islam,

    The GPO will not reflect in the local group policy, after applying the GPO, it will modify the registry keys in clients, please check HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, check the WUServer and WUStatusServer URL is correct:

    By the way, is your WSUS server 2008R2? If yes, you need to upgrade your WSUS server to WSUS 4.0 or WSUS 2016, WSUS 2008R2 do not support windows 10 1607 clients, it only support the minimal updates for windows 10.

    What's more, if you WSUS is 4.0 or higher, the registry settings are correct, while the clients still not show up, please reset SUSClientID, check the result.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 20, 2017 6:42 AM
  • Hi islam mhmd,

    Actually, on windows 10 1607, no matter what AU options we set, it will download updates automatically as soon as it detect windows updates.

    After applying the policy, the windows update panel will like this:

    It is different from the pervious OS. If you want to disable clients to update from Internet, we use GPO "Turn off access to all windows update feature" in Computer configuration/Administrative Templates/System/Internet Communication Management. Then, run gpupdate /force on clients, the check online option will be hidden:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by islam mhmd Thursday, March 23, 2017 11:17 AM
    Thursday, March 23, 2017 9:03 AM

All replies

  • Hi islam mohaned Hussein,

    1. Please check if the win10 1607 clients are included in the GPO OU;

    2. After run gpupdate /force on the clients, also run gpresult /h C:\report.html to check the apply result;

    3. To enable clients register in WSUS server, we need to ensure the GPO is configured and applied correctly, and the port is allowed in firewall, if all the things are correct while they still not show up in WSUS console, we may reset SUSClientID on clients:

    Reset SusClientId:
    1). In cmd, net stop wuauserv

    2). Delete the value in registry key " SusClientId " and "SusClientIDValidation" locates in:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

    3). In cmd, net start wuauserv
         wuauclt.exe /resetauthorization /detectnow

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 17, 2017 6:26 AM
  • Am 16.03.2017 schrieb awbruso6:

    i have windows server 2008R2 and windows 10 1607, created GPO and configured automatic updates. open windows 10 and run gpupdate /force, open windows updates the policy not applied. i also configured WSUS, the client not registered in WSUS.

    Bring your WSUS up2date:

    WSUS 3.0 (SP2):    Build 3.2.7600.226
    WSUS 3.0 (SP2) + KB2720211:    Build 3.2.7600.251
    WSUS 3.0 (SP2) + KB2734608:    Build 3.2.7600.256
    WSUS 3.0 (SP2) + KB2828185:    Build 3.2.7600.262
    WSUS 3.0 (SP2) + KB2938066:    Build 3.2.7600.274

    For W10 1607 you need a third WSUS Entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    UpdateServiceUrlAlternate

    http://YourWSUS

    You can find this settings in the latest WU-ADM Templates.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    • Marked as answer by islam mhmd Thursday, March 23, 2017 11:27 AM
    Friday, March 17, 2017 4:56 PM
  • The windows 10 client already included in the GPO OU. the gpresult shows that the windows update policy applied. but, when open the policy in local group policy console of client  shows the policy not configured
    Saturday, March 18, 2017 7:47 PM
  • Am 18.03.2017 schrieb islam mohamed hussein:

    The windows 10 client already included in the GPO OU. the gpresult shows that the windows update policy applied. but, when open the policy in local group policy console of client  shows the policy not configured

    GPEDIT.MSC shows only Settings, if they modified IN gpedit.msc.
    Settings made with GPMC.MSC you don't see with GPEDIT.MSC.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Saturday, March 18, 2017 10:44 PM
  • For W10 1607 you need a third WSUS Entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    UpdateServiceUrlAlternate

    Following the path ,don't find "updateserviceurlalternate"

    Sunday, March 19, 2017 2:42 PM
  • Am 19.03.2017 schrieb islam mohamed hussein:

    For W10 1607 you need a third WSUS Entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    UpdateServiceUrlAlternate

    Following the path ,don't find "updateserviceurlalternate"

    If there isn't the third entry, create a new one.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    • Marked as answer by islam mhmd Thursday, March 23, 2017 8:21 AM
    • Unmarked as answer by islam mhmd Thursday, March 23, 2017 8:22 AM
    Sunday, March 19, 2017 8:19 PM
  • The windows 10 client already included in the GPO OU. the gpresult shows that the windows update policy applied. but, when open the policy in local group policy console of client  shows the policy not configured

    Hi islam,

    The GPO will not reflect in the local group policy, after applying the GPO, it will modify the registry keys in clients, please check HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, check the WUServer and WUStatusServer URL is correct:

    By the way, is your WSUS server 2008R2? If yes, you need to upgrade your WSUS server to WSUS 4.0 or WSUS 2016, WSUS 2008R2 do not support windows 10 1607 clients, it only support the minimal updates for windows 10.

    What's more, if you WSUS is 4.0 or higher, the registry settings are correct, while the clients still not show up, please reset SUSClientID, check the result.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 20, 2017 6:42 AM
  • The client is registered in wsus ,but the client still can search for updates online and change update settings
    Tuesday, March 21, 2017 9:12 AM
  • The client is registered in wsus ,but the client still can search for updates online and change update settings

    Hi,

    Then, what is your detailed requirement now? Seems the original questions in your original post has been solved, is it?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by islam mhmd Thursday, March 23, 2017 8:21 AM
    • Unmarked as answer by islam mhmd Thursday, March 23, 2017 8:21 AM
    • Marked as answer by islam mhmd Thursday, March 23, 2017 8:22 AM
    • Unmarked as answer by islam mhmd Thursday, March 23, 2017 8:22 AM
    Thursday, March 23, 2017 3:26 AM

  • Hi,

    Then, what is your detailed requirement now? Seems the original questions in your original post has been solved, is it?

    Best Regards,

    Anne


    I mean in previous version of windows 10, When i open windows update setting dimmed "managed by your organization". but with version 1607 not dimmed

    Thursday, March 23, 2017 8:26 AM
  • Hi islam mhmd,

    Actually, on windows 10 1607, no matter what AU options we set, it will download updates automatically as soon as it detect windows updates.

    After applying the policy, the windows update panel will like this:

    It is different from the pervious OS. If you want to disable clients to update from Internet, we use GPO "Turn off access to all windows update feature" in Computer configuration/Administrative Templates/System/Internet Communication Management. Then, run gpupdate /force on clients, the check online option will be hidden:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by islam mhmd Thursday, March 23, 2017 11:17 AM
    Thursday, March 23, 2017 9:03 AM
  • Thanks for your help Anne
    Thursday, March 23, 2017 11:18 AM